Resign a zone
Torinthiel
torinthiel at data.pl
Tue Nov 8 09:44:41 UTC 2011
On 2011-11-08 10:34, rams wrote:
> Hi ,
> I have signed zone and already i have resigned two times. Now again i
> am resigning zone but after resign zone , RRSIG values are not changed.
> the same old values displaying. Any wrong in me. Could you please guide
> me how to change RRSIG values.
There could be several issues with this, please give some more info. How
are you signing your zone? dnssec-signzone? automatically using bind?
Some other software?
If you're using dnssec-signzone and pass it old signed zone data it
regenerates signatures only if signature end time falls within a period
defaulting to 1/4 signature valitity time (so with default signature
period it's 7.5 days). If you re-sign your zone say 10 days in advance,
it won't change old signatures. You can change it with -i. Other
software probably behaves similarly.
Also, if you're signing your zone off-line and upload it to bind, did
you remember to change SOA and reload master?
Regards,
Torinthiel
More information about the bind-users
mailing list